Posted to users@httpd.apache.org by Andrus <ee...@online.ee> on 2003/04/09 22:06:30 UTC

[users@httpd] Is this method OK to authenticate users from a CGI app

I need to authenticate users from my CGI application without Apache.

Assuming that

1. I have a table with three fields: user_name, password, ssl_session_id

2. I always use the SSL protocol in the browser.

3. Each user is allowed to log in only once to my CGI app.


My algorithm:

1. At the beginning of every CGI method, search the Users table for the SSL_Session_Id.
If found, continue processing.

2. If the SSL Session Id is not found, send an HTTP redirect to a
login form.

3. The login form returns two form variables:
username and password.
The login form's action script handler searches the users table for the returned user name
and compares the password. If this is OK, it stores the SSL session id in the
users table's SSL_Session_Id field.

I have little knowledge about SSL Session Id behaviour.

Is this authentication method OK?

Will each SSL session present a unique SSL session id
from the browser to a CGI app?



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
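
The three steps described in the post, written out as a runnable sketch; this is an added example, not code from the original post. Python, the in-memory SQLite table, the function names, the sample user and the PBKDF2-hashed password column with its salt are assumptions of the example; the session ID is read from the `SSL_SESSION_ID` variable that mod_ssl exports under `SSLOptions +StdEnvVars`.

```python
import hashlib, hmac, os, sqlite3

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    # Constructed sample table with the three fields from the post, plus a salt
    # (assumption: the password column stores a PBKDF2 hash, not plaintext).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_name TEXT PRIMARY KEY, password BLOB,"
               " salt BLOB, ssl_session_id TEXT)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, NULL)",
               ("alice", hash_pw("s3cret", salt), salt))
    return db

def session_id(environ):
    # Treat a missing or empty SSL_SESSION_ID as "no session" so that it can
    # never match a stored row.
    return environ.get("SSL_SESSION_ID") or None

def check_request(db, environ):
    """Steps 1 and 2: return the user name, or None meaning 'redirect to login'."""
    sid = session_id(environ)
    if sid is None:
        return None
    row = db.execute("SELECT user_name FROM users WHERE ssl_session_id = ?",
                     (sid,)).fetchone()
    return row[0] if row else None

def login(db, environ, user_name, password):
    """Step 3: verify the password, then bind the current session id to the user."""
    sid = session_id(environ)
    row = db.execute("SELECT password, salt FROM users WHERE user_name = ?",
                     (user_name,)).fetchone()
    if sid is None or row is None:
        return False
    if not hmac.compare_digest(row[0], hash_pw(password, row[1])):
        return False
    # Overwriting the column keeps one active session per user (assumption 3).
    db.execute("UPDATE users SET ssl_session_id = ? WHERE user_name = ?",
               (sid, user_name))
    return True
```

A browser that performs a new full TLS handshake is given a new session ID, so `check_request` then returns `None` and the user is sent back to the login form even though they logged in earlier.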